I have used Donut for a while with no issues--my typical usage looks like this:
Make a C/C++ program
Compile with g++ or gcc
Convert the executable to a standalone shellcode with "donut -i program.exe -o program.bin", then inject this binary into a process via CreateRemoteThread.
This worked without issue on Windows 11, even with Windows Defender Real-Time Protection enabled, until a month ago. Now Defender aborts the process before the injected shellcode executes.
Out of curiosity I made a simple Windows MessageBox shellcode and uploaded it to VirusTotal, and found 15/61 AVs flagging it, presumably via the loader stub.
Defender still seemed to flag it when I used different -e options (presumably the stubs for each of these are in the AV databases).
Is there another option I'm missing to obfuscate/change the ASM loader stub itself? Otherwise is there a plan to modify this stub to avoid antivirus detection?
Thanks!
@howmp Thanks for sharing--the shellcode binary gets no hits when I use donut_ollvm to generate it, but still when I inject it via CreateRemoteThread, with Real-time Protection enabled on Defender, the process fast fails via Defender and Defender says threat detected. (Tested injection in Notepad.exe but also a non-Windows process, same results)
Does a different injection technique avoid this? I am able to use CreateRemoteThread with the pe-to-shellcode generated shellcode with no Defender popups.